
APIsec U
June 3, 2025
June 30, 2025

DevSecOps Is Not a Job Title: Securing APIs in the Age of Asymmetric Cyberwarfare

Cyberwarfare isn’t coming—it’s already here. From ransomware-funded regimes to billion-dollar crypto heists triggered by stolen API keys, the battlefield has shifted to your codebase. In this must-read from APIsec|CON 2025, Scott Bly reveals why DevSecOps is more than a buzzword—and how APIs have become both our greatest innovation and our greatest risk. If you’re responsible for securing software, you need to read this. Now.


By Scott Bly, Director of Security Technologies at SIS
As presented at APIsec|CON 2025

The New Cyber Battlefield: Why API Security Is National Security

“Ladies and gentlemen, we are at war.”
– Scott Bly, APIsec|CON 2025

Cyberattacks are no longer abstract threats—they are tactical weapons in global conflicts. From Russia’s attacks on Ukraine’s power grid to North Korea’s $1.5B crypto heist via a compromised API key, it’s clear: your APIs are now a frontline in modern warfare.

In his eye-opening APIsec|CON 2025 talk, security leader Scott Bly exposed how outdated assumptions about DevSecOps—and poor API hygiene—are leaving organizations vulnerable to attacks with global implications.

The message was clear: if your business builds or manages software, you’re in the fight, whether you like it or not.

Introducing the APIsec DevSecOps Trilogy

Bly unveiled a new three-part DevSecOps course series on APIsec University, built on the U.S. Department of Defense DevSecOps strategy. The curriculum is specifically designed to close the knowledge gap for API-first companies and modern engineering teams.

Part 1: Demystifying DevSecOps

  • Breaks down the full software lifecycle
  • Highlights cultural and process-driven shifts, not just tool changes
  • Ideal for leaders unsure how to define DevSecOps beyond job titles

Part 2: Deep Dives + Tools

  • Explores each DevSecOps stage with example tooling
  • Offers actionable insights into real-world pipelines

Part 3: API Security Focus

  • Zeroes in on API-specific risks and tools
  • Includes demos with APIsec.ai and other solutions
  • Designed for DevSecOps practitioners in API-driven environments

Shift Left Is Not Enough—Shift Everywhere

Most teams think they’ve “done DevSecOps” by injecting security tools into their CI/CD pipeline—adding SAST, DAST, and maybe a pen test at the end. But according to Bly, that’s DevSec, not DevSecOps.

Real DevSecOps means integrating security across the full lifecycle—from planning and development to release, operation, and feedback. It also means your security telemetry must feed back into your operational SIEM and SOAR systems.
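One concrete shape of "telemetry feeding back into the SIEM" is a detector that learns each API key's normal behaviour and emits alerts in a form a collector can ingest. The following is an added example written for this post, not code from Scott Bly's talk or from APIsec University: it reads constructed gateway log lines (JSON-lines, a format assumed for the sake of the demo), baselines requests per minute and the endpoint set per key, and flags unknown keys, never-seen endpoints and rate spikes. The thresholds RATE_FACTOR and RATE_FLOOR are assumed tuning values.

```python
import json
from collections import Counter, defaultdict

# Assumed tuning values (not from the talk): alert when a key exceeds RATE_FACTOR times its
# baseline requests/minute, and at least RATE_FLOOR so tiny baselines do not page anyone.
RATE_FACTOR = 3.0
RATE_FLOOR = 20


def _lines(key, minute, path, n):
    """Build n constructed gateway records inside one minute (sample data, not real logs)."""
    return "\n".join(
        json.dumps({"ts": f"{minute}:{i % 60:02d}Z", "key_id": key,
                    "method": "GET", "path": path, "status": 200})
        for i in range(n))


# Constructed baseline window: ten quiet minutes of a billing service calling two endpoints.
TRAINING = "\n".join(
    _lines("svc-billing", f"2025-06-01T10:{m:02d}", "/v1/invoices", 3) + "\n"
    + _lines("svc-billing", f"2025-06-01T10:{m:02d}", "/v1/customers", 2)
    for m in range(10))

# Constructed live window: a burst, a probe of an admin route, and an unrecognised key.
LIVE = "\n".join([
    _lines("svc-billing", "2025-06-01T11:00", "/v1/invoices", 25),
    '{"ts":"2025-06-01T11:00:30Z","key_id":"svc-billing","method":"GET","path":"/v1/admin/users","status":403}',
    '{"ts":"2025-06-01T11:00:31Z","key_id":"key-unknown","method":"GET","path":"/v1/invoices","status":401}',
])


def parse_lines(text):
    """Parse JSON-lines gateway records; malformed or blank lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def minute_of(ts):
    """Bucket an ISO-8601 'Z' timestamp by minute: '2025-06-01T10:00:05Z' -> '2025-06-01T10:00'."""
    return ts[:16]


def build_baseline(events):
    """Per API key: mean requests per observed minute and the set of paths it normally calls."""
    per_minute = defaultdict(Counter)
    paths = defaultdict(set)
    for e in events:
        per_minute[e["key_id"]][minute_of(e["ts"])] += 1
        paths[e["key_id"]].add(e["path"])
    return {key: {"rpm": sum(c.values()) / len(c), "paths": paths[key]}
            for key, c in per_minute.items()}


def detect(events, baseline):
    """Return SIEM-style alert dicts: unknown keys, never-seen endpoints, and rate spikes."""
    alerts = []
    per_minute = defaultdict(Counter)
    seen_unknown = set()
    for e in events:
        key = e["key_id"]
        if key not in baseline:
            if key not in seen_unknown:  # one alert per unknown key, not one per request
                seen_unknown.add(key)
                alerts.append({"rule": "unknown_api_key", "severity": "high",
                               "entity": key, "ts": e["ts"], "path": e["path"]})
            continue
        if e["path"] not in baseline[key]["paths"]:
            alerts.append({"rule": "new_endpoint", "severity": "medium",
                           "entity": key, "ts": e["ts"], "path": e["path"]})
        per_minute[key][minute_of(e["ts"])] += 1
    for key, counts in per_minute.items():
        threshold = max(RATE_FLOOR, RATE_FACTOR * baseline[key]["rpm"])
        for minute, n in sorted(counts.items()):
            if n > threshold:
                alerts.append({"rule": "rate_spike", "severity": "high", "entity": key,
                               "ts": minute, "count": n, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    # One JSON object per line is the shape most SIEM collectors ingest without a custom parser.
    for a in detect(parse_lines(LIVE), build_baseline(parse_lines(TRAINING))):
        print(json.dumps(a))
```

The baseline window is deliberately separate from the window being judged; feeding the detector the same data it was trained on produces no alerts, which is the sanity check to run before wiring the output into SOAR playbooks.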

In Bly’s words:

“DevSecOps isn’t just about shifting left. It’s about shifting everywhere.”

APIs: The New Oil, The New Risk

APIs are the backbone of digital innovation—and also the #1 source of security risk.

  • 150 billion API attacks occurred between Jan 2023 and Dec 2024.
  • 85% of internet traffic now flows through APIs.
  • APIs increasingly link organizations, meaning one breach can cascade across partners.

Internal APIs are not safe by default. As Bly noted, “Apparently these people have never heard of ransomware.” Once inside the perimeter—often via phishing or a compromised laptop—attackers can pivot laterally and hit supposedly isolated APIs.
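The "internal means safe" assumption is easiest to see in code. The following is an added example, not from the talk or from APIsec University: a naive authorizer that admits any caller from the corporate address range (the model that fails once a phished laptop sits on 10.x), beside a hardened authorizer that demands a signed, expiring service token regardless of source address. The token format (subject|expiry|HMAC-SHA256 tag) and the shared secret are assumptions constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import time

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Assumption for the demo: a per-service secret issued out of band. Constructed value, not real.
SERVICE_SECRET = b"constructed-demo-secret-not-for-production"


def naive_authorize(remote_addr):
    """'Isolated' internal API: trusts anything inside the corporate range.

    A compromised laptop or a pivot from another internal host passes this check unchanged."""
    return ipaddress.ip_address(remote_addr) in INTERNAL_NET


def issue_token(secret, subject, ttl_seconds, now=None):
    """Mint subject|expiry|tag, where tag = HMAC-SHA256(secret, subject|expiry)."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    tag = hmac.new(secret, f"{subject}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{subject}|{exp}|{tag}"


def verify_token(secret, token, now=None):
    """Return the subject if the token is genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        subject, exp_s, tag = token.split("|")
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{subject}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return None
    if now >= exp:
        return None
    return subject


def hardened_authorize(remote_addr, token, allowed_subjects, now=None):
    """Network position is kept as defence in depth but is never sufficient on its own:
    the caller must present a valid service identity that this endpoint explicitly allows."""
    if ipaddress.ip_address(remote_addr) not in INTERNAL_NET:
        return False
    subject = verify_token(SERVICE_SECRET, token or "", now)
    return subject is not None and subject in allowed_subjects


if __name__ == "__main__":
    token = issue_token(SERVICE_SECRET, "svc-billing", ttl_seconds=300)
    laptop = "10.4.2.77"  # constructed: a workstation that phishing has just put under attacker control
    print("naive, no credentials:   ", naive_authorize(laptop))
    print("hardened, no credentials:", hardened_authorize(laptop, None, {"svc-billing"}))
    print("hardened, valid token:   ", hardened_authorize(laptop, token, {"svc-billing"}))
```

In practice the token would be an mTLS certificate or a workload identity such as SPIFFE rather than a hand-rolled HMAC, but the property to audit is the same: can any request from "inside" reach the endpoint without proving who it is?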

Follow the Money: Real-World Attacks That Started with APIs

US Treasury Breach (2024)

  • Cause: API key compromise via BeyondTrust
  • Attribution: Chinese state actors

Cloudflare Attack (2023)

  • Cause: Stolen HAR files in Okta support breach
  • Result: Credential compromise and network infiltration

T-Mobile Breach (2022)

  • Cause: Direct API exfiltration of 37 million customer records

Bybit Heist ($1.5B, 2025)

  • Cause: API key abuse via compromised dev environment
  • Attribution: North Korean Lazarus Group
  • Entry Point: LinkedIn social engineering → malware → S3 bucket tampering

These incidents reveal how API vulnerabilities, poor IAM practices, and developer-targeted exploits all combine into potent breach vectors.

The 4 Pillars of API Security in DevSecOps

  1. Discovery
    “If you can’t see it, you can’t protect it.”
    • Inventory management
    • Change tracking
    • Authentication audit
  2. Posture Management
    • Vulnerability scans
    • Misconfiguration detection
    • API design review
  3. Runtime Protection
    • Anomaly detection
    • Rate limiting and behavior baselining
    • Alerting and mitigation
  4. Active Testing (Shift Left)
    • API fuzzing
    • Security unit and integration tests
    • Developer-led testing initiatives
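Pillar 1 ("if you can't see it, you can't protect it") and the posture review in pillar 2 can both start from the API's own specification. The following is an added example for this post, not code from the talk or from APIsec University: it flattens a constructed OpenAPI 3 document into an endpoint inventory, audits which operations carry no authentication scheme (honouring the OpenAPI rule that an operation-level `security: []` explicitly disables the global default), and diffs two versions of the spec to track changes. The two specs are constructed samples.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: a first release with a global bearer-token requirement.
SPEC_V1 = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/health": {"get": {"security": []}},                 # deliberately public
        "/v1/invoices": {"get": {}},                           # inherits bearerAuth
        "/v1/invoices/{id}": {"parameters": [], "get": {}},    # 'parameters' is not a method
    },
}

# Constructed sample: a later release that loosens one endpoint and adds an unauthenticated one.
SPEC_V2 = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/health": {"get": {"security": []}},
        "/v1/invoices": {"get": {"security": [{"apiKey": []}]}},   # auth scheme changed
        "/v1/invoices/{id}": {"parameters": [], "get": {}},
        "/v1/admin/export": {"get": {"security": []}},             # new and unauthenticated
    },
}


def inventory(spec):
    """Flatten an OpenAPI 3 document into {(METHOD, path): frozenset(of scheme names)}."""
    global_sec = spec.get("security", [])
    inv = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters' or 'summary'
            sec = op.get("security", global_sec)  # absent -> inherit; [] -> explicitly none
            inv[(method.upper(), path)] = frozenset(name for req in sec for name in req)
    return inv


def audit_auth(inv):
    """Return endpoints reachable without any authentication scheme, sorted for stable reports."""
    return sorted(ep for ep, schemes in inv.items() if not schemes)


def diff_inventory(old, new):
    """Change tracking between two inventories: what appeared, vanished, or changed its auth."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "auth_changed": sorted(ep for ep in set(old) & set(new) if old[ep] != new[ep]),
    }


if __name__ == "__main__":
    v1, v2 = inventory(SPEC_V1), inventory(SPEC_V2)
    print("endpoints:", len(v2))
    print("unauthenticated:", audit_auth(v2))
    print("changes since v1:", diff_inventory(v1, v2))
```

Running this in CI against the previous release's spec turns "an admin export endpoint shipped with no auth" from a post-incident finding into a failed build, which is the point of putting discovery before posture management.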

Tooling Alone Isn’t Enough—You Need People and Process

Bly stresses that technology is only one-third of the DevSecOps equation.

  • Processes like threat modeling, patch management, and audits are critical.
  • People need to be empowered—and incentivized—to prioritize security.

He suggests models like:

  • Two-Pizza Teams (Amazon): Small, cross-functional groups owning dev, sec, and ops.
  • DevSecOps Center of Excellence: Shared security ownership and training.
  • Strike Teams: Embedded security engineers working alongside devs.

And don’t forget training:

“Advocate for a 70/20/10 resource split—70% day job, 20% process improvement, 10% professional development.”

The Metric That Matters Most

When asked what single metric defines a mature security program, Bly offered this:

“Mean time to remediation (MTTR) for critical vulnerabilities.”

Not vanity metrics. Not silence in the headlines. Just speed, visibility, and continuous improvement.

Final Thoughts: DevSecOps Is a Culture, Not a Checkbox

If you’re treating DevSecOps like a compliance requirement or relegating it to a siloed security team, you’re doing it wrong.

Scott Bly’s trilogy doesn’t just teach tools—it reframes DevSecOps as a survival imperative in a landscape where cybercrime funds nation states and APIs are exploited at global scale.

“Our code, our applications, and our infrastructure are the front lines in a new economic war.”

The good news? If you’re reading this, you still have time to act.

Explore the Full DevSecOps Trilogy on APIsec University

About the Author

Scott Bly is the Director of Security Technologies at SIS, with decades of experience in cloud security, DevOps, API security, and enterprise risk. Formerly of Noname Security and AWS, he now leads security transformation projects at scale.

🧠 Connect with Scott on LinkedIn (but watch for recruiters named “Kim”—he has stories).
